[PATCH v2 0/5] scripts: rockchip: fix and cleanup rkimage

[PATCH v2 0/5] scripts: rockchip: fix and cleanup rkimage

[Michael Tretter]

This series prepares the Rockchip tooling for creating and handling
signed images. The patch series for adding code to sign the images will
follow as a second step.

Fix the wrong size when calculating the hash over the image header.
Rename the hashtype field in the header to flags, because there are
other flags in this field, too. Extend the rk-usb-loader to accept
signed images and load signed images to a board via USB.

Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
---
Changes in v2:
- Switch order of Patch 2 and Patch 3 to define flags before using them
- Drop double negation in flags check
- Link to v1: https://lore.kernel.org/r/20250731-rkimage-cleanup-v1-0-967037e5d67a@pengutronix.de

---
Michael Tretter (5):
      scripts: rockchip: use correct header size
      scripts: rockchip: rename hashtype to flags
      scripts: rockchip: add helper for updating hash
      scripts: rockchip: rename NEWIDB_MAGIC to NEWIDB_MAGIC_RKNS
      scripts: rockchip: support RKSS images

 scripts/rk-usb-loader.c |  7 ++++---
 scripts/rkimage.c       | 24 ++++++++++++++++--------
 scripts/rockchip.h      |  8 ++++++--
 3 files changed, 26 insertions(+), 13 deletions(-)
---
base-commit: 89bf1fcc998fc5fea0ce613d9930dd9ee39c0fb2
change-id: 20250731-rkimage-cleanup-611572232b66

Best regards,
-- 
Michael Tretter <m.tretter@pengutronix.de>

[PATCH v2 1/5] scripts: rockchip: use correct header size

[Michael Tretter]

The hash should include the entire header, which is actually 1536 bytes
long. It seems that the hash is not checked for unsigned images and thus
this wasn't an issue until now.

If the hash is used for signing the image, hashing 1535 bytes instead of
1536 bytes causes a verification failure.

Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
---
Changes in v2:
- none
---
 scripts/rkimage.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/rkimage.c b/scripts/rkimage.c
index b31893fe8f451b4c70dfb55005529ac21cc74156..ba89f32d9376d0153692baa3ddde1c793c1e4cc2 100644
--- a/scripts/rkimage.c
+++ b/scripts/rkimage.c
@@ -98,9 +98,9 @@ static int create_newidb(struct newidb *idb)
 	}
 
 	if (hash_type == HASH_TYPE_SHA256)
-		sha256(idbu8, 1535, idbu8 + 1536);
+		sha256(idbu8, 1536, idbu8 + 1536);
 	else if (hash_type == HASH_TYPE_SHA512)
-		sha512(idbu8, 1535, idbu8 + 1536);
+		sha512(idbu8, 1536, idbu8 + 1536);
 
 	return 0;
 }

-- 
2.39.5

[PATCH v2 2/5] scripts: rockchip: rename hashtype to flags

[Michael Tretter]

The hashtype is actually a bitfield that contains flags for the
different hash types and other information. Rename the field to flags
and add constants for the flags in this field.

Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
---
Changes in v2:
- none
---
 scripts/rkimage.c  | 5 +++--
 scripts/rockchip.h | 5 ++++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/scripts/rkimage.c b/scripts/rkimage.c
index ba89f32d9376d0153692baa3ddde1c793c1e4cc2..4c972746cdabbc831b0b5c0024e840c81b1c1120 100644
--- a/scripts/rkimage.c
+++ b/scripts/rkimage.c
@@ -66,11 +66,12 @@ static int create_newidb(struct newidb *idb)
 
 	idb->magic = NEWIDB_MAGIC;
 	idb->n_files = (n_code << 16) | (1 << 7) | (1 << 8);
+	idb->flags = 0;
 
 	if (hash_type == HASH_TYPE_SHA256)
-		idb->hashtype = (1 << 0);
+		idb->flags |= NEWIDB_FLAGS_SHA256;
 	else if (hash_type == HASH_TYPE_SHA512)
-		idb->hashtype = (1 << 1);
+		idb->flags |= NEWIDB_FLAGS_SHA512;
 
 	if (!keep_cert)
 		image_offset = 4;
diff --git a/scripts/rockchip.h b/scripts/rockchip.h
index 2d060fdefe909118d157a7aafef3284a35679fe3..8033878b34d369c7e291f38fd2a4beaaf395556b 100644
--- a/scripts/rockchip.h
+++ b/scripts/rockchip.h
@@ -3,6 +3,9 @@
 
 #define NEWIDB_MAGIC 0x534e4b52 /* 'RKNS' */
 
+#define NEWIDB_FLAGS_SHA256	(1U << 0)
+#define NEWIDB_FLAGS_SHA512	(1U << 1)
+
 struct newidb_entry {
 	uint32_t sector;
 	uint32_t unknown_ffffffff;
@@ -16,7 +19,7 @@ struct newidb {
 	uint32_t magic;
 	unsigned char unknown1[4];
 	uint32_t n_files;
-	uint32_t hashtype;
+	uint32_t flags;
 	unsigned char unknown2[8];
 	unsigned char unknown3[8];
 	unsigned char unknown4[88];

-- 
2.39.5

[PATCH v2 3/5] scripts: rockchip: add helper for updating hash

[Michael Tretter]

The idb contains a flag for the used hash type. Use the flag to
determine the used hash function and update the hash accordingly.

Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
---
Changes in v2:
- Drop double negation in flag check
---
 scripts/rkimage.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/scripts/rkimage.c b/scripts/rkimage.c
index 4c972746cdabbc831b0b5c0024e840c81b1c1120..be2267aa38b505312c131638d743b42faaf8978c 100644
--- a/scripts/rkimage.c
+++ b/scripts/rkimage.c
@@ -42,6 +42,17 @@ static void sha512(const void *buf, int len, void *out)
 	EVP_MD_CTX_free(md_ctx);
 }
 
+static void idb_hash(struct newidb *idb)
+{
+	unsigned char *idbu8 = (void *)idb;
+	size_t size = 1536;
+
+	if (idb->flags & NEWIDB_FLAGS_SHA256)
+		sha256(idbu8, size, idbu8 + size);
+	else if (idb->flags & NEWIDB_FLAGS_SHA512)
+		sha512(idbu8, size, idbu8 + size);
+}
+
 typedef enum {
 	HASH_TYPE_SHA256 = 1,
 	HASH_TYPE_SHA512 = 2,
@@ -62,7 +73,6 @@ static int create_newidb(struct newidb *idb)
 	bool keep_cert = false;
 	int image_offset;
 	int i;
-	unsigned char *idbu8 = (void *)idb;
 
 	idb->magic = NEWIDB_MAGIC;
 	idb->n_files = (n_code << 16) | (1 << 7) | (1 << 8);
@@ -98,10 +108,7 @@ static int create_newidb(struct newidb *idb)
 
 	}
 
-	if (hash_type == HASH_TYPE_SHA256)
-		sha256(idbu8, 1536, idbu8 + 1536);
-	else if (hash_type == HASH_TYPE_SHA512)
-		sha512(idbu8, 1536, idbu8 + 1536);
+	idb_hash(idb);
 
 	return 0;
 }

-- 
2.39.5

[PATCH v2 4/5] scripts: rockchip: rename NEWIDB_MAGIC to NEWIDB_MAGIC_RKNS

[Michael Tretter]

There are different magic values for different image types. Include the
type of magic in the name of the magic.

Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
---
Changes in v2:
- none
---
 scripts/rk-usb-loader.c | 4 ++--
 scripts/rkimage.c       | 2 +-
 scripts/rockchip.h      | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/scripts/rk-usb-loader.c b/scripts/rk-usb-loader.c
index 2e0d5488deb9853dce8fea929a63d97e5aac9828..87b5e3e3060579bc0473a15a9ef1f86c0ee2b720 100644
--- a/scripts/rk-usb-loader.c
+++ b/scripts/rk-usb-loader.c
@@ -222,9 +222,9 @@ static int upload_image(const char *filename)
 
 	hdr = buf;
 
-	if (hdr->magic != NEWIDB_MAGIC) {
+	if (hdr->magic != NEWIDB_MAGIC_RKNS) {
 		log_error("%s has invalid magic 0x%08x ( != 0x%08x )\n", filename,
-			  hdr->magic, NEWIDB_MAGIC);
+			  hdr->magic, NEWIDB_MAGIC_RKNS);
 		exit(1);
 	}
 
diff --git a/scripts/rkimage.c b/scripts/rkimage.c
index be2267aa38b505312c131638d743b42faaf8978c..d1a9f709c16ae5fb6277b4e02498209966594213 100644
--- a/scripts/rkimage.c
+++ b/scripts/rkimage.c
@@ -74,7 +74,7 @@ static int create_newidb(struct newidb *idb)
 	int image_offset;
 	int i;
 
-	idb->magic = NEWIDB_MAGIC;
+	idb->magic = NEWIDB_MAGIC_RKNS;
 	idb->n_files = (n_code << 16) | (1 << 7) | (1 << 8);
 	idb->flags = 0;
 
diff --git a/scripts/rockchip.h b/scripts/rockchip.h
index 8033878b34d369c7e291f38fd2a4beaaf395556b..c4cedfa5669e59506b7c2c32d53bbdafec0e0dac 100644
--- a/scripts/rockchip.h
+++ b/scripts/rockchip.h
@@ -1,7 +1,7 @@
 #ifndef __ROCKCHIP_H
 #define __ROCKCHIP_H
 
-#define NEWIDB_MAGIC 0x534e4b52 /* 'RKNS' */
+#define NEWIDB_MAGIC_RKNS 0x534e4b52
 
 #define NEWIDB_FLAGS_SHA256	(1U << 0)
 #define NEWIDB_FLAGS_SHA512	(1U << 1)

-- 
2.39.5

[PATCH v2 5/5] scripts: rockchip: support RKSS images

[Michael Tretter]

RKSS is the magic for signed images. Add this magic to the rk-usb-loader
to be able to load signed images via USB.

Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
---
Changes in v2:
- none
---
 scripts/rk-usb-loader.c | 7 ++++---
 scripts/rockchip.h      | 1 +
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/scripts/rk-usb-loader.c b/scripts/rk-usb-loader.c
index 87b5e3e3060579bc0473a15a9ef1f86c0ee2b720..c9769d79d3d4d487af5008e45e35c29ea3eba99e 100644
--- a/scripts/rk-usb-loader.c
+++ b/scripts/rk-usb-loader.c
@@ -222,9 +222,10 @@ static int upload_image(const char *filename)
 
 	hdr = buf;
 
-	if (hdr->magic != NEWIDB_MAGIC_RKNS) {
-		log_error("%s has invalid magic 0x%08x ( != 0x%08x )\n", filename,
-			  hdr->magic, NEWIDB_MAGIC_RKNS);
+	if (hdr->magic != NEWIDB_MAGIC_RKNS &&
+	    hdr->magic != NEWIDB_MAGIC_RKSS) {
+		log_error("%s has invalid magic 0x%08x\n",
+			  filename, hdr->magic);
 		exit(1);
 	}
 
diff --git a/scripts/rockchip.h b/scripts/rockchip.h
index c4cedfa5669e59506b7c2c32d53bbdafec0e0dac..ed915bdf593ca23aab2046b0997743babbbc371a 100644
--- a/scripts/rockchip.h
+++ b/scripts/rockchip.h
@@ -2,6 +2,7 @@
 #define __ROCKCHIP_H
 
 #define NEWIDB_MAGIC_RKNS 0x534e4b52
+#define NEWIDB_MAGIC_RKSS 0x53534b52
 
 #define NEWIDB_FLAGS_SHA256	(1U << 0)
 #define NEWIDB_FLAGS_SHA512	(1U << 1)

-- 
2.39.5

Re: [PATCH v2 0/5] scripts: rockchip: fix and cleanup rkimage

[Sascha Hauer]

On Tue, 05 Aug 2025 09:33:45 +0200, Michael Tretter wrote:
> This series prepares the Rockchip tooling for creating and handling
> signed images. The patch series for adding code to sign the images will
> follow as a second step.
> 
> Fix the wrong size when calculating the hash over the image header.
> Rename the hashtype field in the header to flags, because there are
> other flags in this field, too. Extend the rk-usb-loader to accept
> signed images and load signed images to a board via USB.
> 
> [...]

Applied, thanks!

[1/5] scripts: rockchip: use correct header size
      https://git.pengutronix.de/cgit/barebox/commit/?id=c18d35095359 (link may not be stable)
[2/5] scripts: rockchip: rename hashtype to flags
      https://git.pengutronix.de/cgit/barebox/commit/?id=6c4a4a53e5ed (link may not be stable)
[3/5] scripts: rockchip: add helper for updating hash
      https://git.pengutronix.de/cgit/barebox/commit/?id=962206c43dcb (link may not be stable)
[4/5] scripts: rockchip: rename NEWIDB_MAGIC to NEWIDB_MAGIC_RKNS
      https://git.pengutronix.de/cgit/barebox/commit/?id=e9fac66f7ca1 (link may not be stable)
[5/5] scripts: rockchip: support RKSS images
      https://git.pengutronix.de/cgit/barebox/commit/?id=b41d4972d9a9 (link may not be stable)

Best regards,
-- 
Sascha Hauer <s.hauer@pengutronix.de>